From owner-freebsd-chat Fri Apr 19 14:46:33 2002
Delivered-To: freebsd-chat@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A7D0337B41E for ; Fri, 19 Apr 2002 14:46:26 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA08056; Fri, 19 Apr 2002 15:46:10 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020419152309.035a96d0@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 19 Apr 2002 15:45:56 -0600
To: Terry Lambert
From: Brett Glass
Subject: Re: How to control address used by INADDR_ANY?
Cc: chat@freebsd.org
In-Reply-To: <3CC088D4.F21A3656@mindspring.com>
References: <4.3.2.7.2.20020419144005.0358c610@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:15 PM 4/19/2002, Terry Lambert wrote:

>Brett Glass wrote:
>> As best I can tell, the trouble is that when a process running on the
>> router itself opens an outbound socket with INADDR_ANY (which most
>> networked applications do), it picks 10.X.Y.Z as the source address
>> instead of A.B.C.1.
>
>INADDR_ANY means "I don't care". FreeBSD's "I don't care" is a
>bit different in implementation than Cisco's "I don't care". 8-(.
>
>Since you apparently *do* care, you must bind a specific address
>for outbound connections.

Unfortunately, "you" consists of any application that might be running on
the box. And few, if any, of the standard apps one is likely to use in
administration offer you the option of specifying a source address
explicitly.

For example, suppose I want to bring in a patch or some code via anonymous
FTP. I can't, because the Berkeley FTP client doesn't let you specify a
source address.

>> What's the easiest way to specify the address to be used as the source
>> address when an app opens an outbound socket with INADDR_ANY? I'm unclear
>> about how the system is picking it now (I haven't yet found the place in
>> the source where this decision is made), but it seems to be picking
>> 10.X.Y.Z, which of course will not work.
>
>It picks the first address on the first interface on the subnet
>for the destination address in question,

When the machine is going out to the Internet at large, the destination
isn't on any of those subnets.

>Probably you can make it work by setting the IP address to the
>one for the bridged network,

I'm not sure I follow. There's no bridged network here.

>and then setting the 10. address
>to be the alias, instead of the bridged address.

The only addresses that are "legal" on the ISP's internal subnet are 10.
addresses, by policy.

I could try something like specifying the address as 127.0.0.2 with the 10.
address as an alias.... The default IPFW rules would keep any packets with a
source address of 127.0.0.2 from actually leaving the interface. But this is
kinda dicey... and I don't know what the stack will do. Will apps wind up
with sockets that have 127.0.0.2 as a source address?

>Really, this is a bug in the FreeBSD code, in that it is not
>treating the IP address/port pair on the destination as the
>route to choose the "proper" origin address.

Actually, it may just be an omission. Just as we can set a default gateway,
it might be nice to be able to set a default IP for outbound sockets.
(INADDR_ANY has different semantics when one is listening, of course, so
it's only the outbound case that we need to worry about.)

Or we might be able to set a flag that disqualifies an interface from having
its address(es) used as the source address when INADDR_ANY is used. (This is
probably done for lo0 now. I don't know for sure, but I'll bet that the code
notices the LOOPBACK flag and disqualifies the interface.) The new flag could
be set and viewed via ifconfig.

>Short of rewriting a lot of the stack to reorder the anonymous
>address handling (e.g. to make it work like Cisco equipment
>does),

There may be a single assignment statement somewhere that could be made to
grab the address from a sysctl variable. Terry, you know the network code
better than I.... In what file is INADDR_ANY converted into a specific
source address? What logic is used to determine which addresses are
suitable?

>it's probably best to just bind outgoing interfaces
>manually, and deal with the netmask in your proxy app.

I won't want to rewrite every application I might use on the box! Adding a
mod to the stack would be easier... unless there's some way to get the
existing code to do The Right Thing.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-chat" in the body of the message
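Added example, not part of the thread: the "bind a specific address for outbound connections" fix Terry describes, next to the INADDR_ANY default, with getsockname() used to read back which source address the kernel actually chose. It assumes a constructed loopback listener as the peer, so it runs offline; the function names are mine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed peer: TCP listener on 'addr', kernel-chosen port stored in
 * *port_out. Returns the listening fd, or -1 on failure. */
int listen_on(const char *addr, uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t len = sizeof sin;
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, len) < 0 || listen(fd, 4) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(sin.sin_port);
    return fd;
}

/* Connect to dst:port. src == NULL leaves the socket at INADDR_ANY, so the
 * kernel picks the source from its route to dst (the behaviour the thread is
 * about). A non-NULL src is bind()ed first, which pins the source address.
 * In both cases the address actually in use is read back with getsockname()
 * and written to 'out'. Returns 0 on success, -1 on any failure. */
int connect_from(const char *src, const char *dst, uint16_t port,
                 char *out, socklen_t outlen) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t len = sizeof sin;
    if (src && (inet_pton(AF_INET, src, &sin.sin_addr) != 1 ||
                bind(fd, (struct sockaddr *)&sin, len) < 0)) { close(fd); return -1; }
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sin, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) { close(fd); return -1; }
    inet_ntop(AF_INET, &sin.sin_addr, out, outlen);
    close(fd);
    return 0;
}
```

Against a loopback peer both calls report 127.0.0.1; on a multi-homed box the NULL case is where the "wrong" address shows up, and the bound case is how an application that exposes a source-address option avoids it.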